Data Protection Policy
Purpose
This policy outlines many of the procedures and technical controls in support of data protection.
Scope
Production systems that create, receive, store, or transmit OllyGarden, Inc. customer data (hereafter "Production Systems") must follow the requirements and guidelines described in this policy.
Roles and Responsibilities
Policy
OllyGarden, Inc. policy requires that:
Data Protection Implementation and Processes
Customer Data Protection
OllyGarden, Inc. hosts on "Google Cloud Platform (GCP)" in the eu-west-4 region by default. Data is replicated across multiple regions for redundancy and disaster recovery.
All OllyGarden, Inc. employees adhere to the following processes to reduce the risk of compromising Production Data:
Access
OllyGarden, Inc. employee access to production is guarded by an approval process and is disabled by default. When access is approved, temporary access to production is granted. Production access is reviewed by the security team on a case-by-case basis.
Separation
Customer data will be logically separated at the database/datastore level using a unique identifier for the customer. The separation is enforced at the API layer: the client must authenticate with a chosen account, the customer's unique identifier is included in the access token, and the API uses that identifier to restrict data access to that account. All database/datastore queries then include the account identifier.
Alternatively, dedicated resources (database, compute) will be allocated to each customer so that customers cannot impact or access data or resources of other customers.
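The logical separation described above (shared datastore, account identifier carried in the access token) can be sketched as follows. This is an added example, not OllyGarden, Inc.'s code: the `records` table, the `TenantStore` class, and the HMAC-signed token standing in for a real access token are all hypothetical.

```python
import base64, hashlib, hmac, json, sqlite3

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real service loads this from a secret store

def issue_token(account_id):
    """Mint a signed token carrying the account identifier (stand-in for a real access token)."""
    body = base64.urlsafe_b64encode(json.dumps({"account_id": account_id}).encode())
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + sig

def account_from_token(token):
    """Return the account identifier only if the token signature verifies."""
    body, _, sig = token.partition(b".")
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid access token")
    return json.loads(base64.urlsafe_b64decode(body))["account_id"]

class TenantStore:
    """Data-access layer in which every statement is bound to the caller's account."""

    def __init__(self, db, token):
        self.db = db
        # The identifier comes from the verified token, never from request parameters.
        self.account_id = account_from_token(token)

    def list_records(self):
        return self.db.execute(
            "SELECT id, payload FROM records WHERE account_id = ? ORDER BY id",
            (self.account_id,)).fetchall()

    def get_record(self, record_id):
        # Filtering on the primary key alone would let one customer read
        # another customer's row by guessing ids, so the account is always included.
        return self.db.execute(
            "SELECT id, payload FROM records WHERE id = ? AND account_id = ?",
            (record_id, self.account_id)).fetchone()

def demo_db():
    """Constructed sample data: two customers sharing one table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records "
               "(id INTEGER PRIMARY KEY, account_id TEXT NOT NULL, payload TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)",
                   [(1, "acct-a", "a-first"), (2, "acct-b", "b-first"),
                    (3, "acct-a", "a-second")])
    return db
```

A request for another customer's record id returns nothing, and a token whose body was altered after signing is rejected before any query runs.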
Data Leakage Prevention
OllyGarden, Inc. will implement data leakage prevention mechanisms on systems that process, store or transmit sensitive information. These mechanisms will be configured to prevent data leakage (e.g., through email or other messaging technologies) and generate audit logs and alerts.
Monitoring
OllyGarden, Inc. uses Google Cloud Platform and Grafana Cloud to monitor the entire cloud service operation (monitoring and internal reporting capabilities are used to report on cryptographic operations, encryption, and key management policies, processes, procedures, and controls). If a system failure and alarm are triggered, key personnel are notified by text, chat, and/or email message to take appropriate corrective action.
OllyGarden, Inc. uses a security agent to monitor production systems. The agent monitors system activities, generates alerts on suspicious activities, and reports vulnerability findings to a centralized management console.
Confidentiality/Non-Disclosure Agreement (NDA)
OllyGarden, Inc. uses confidentiality or non-disclosure agreements to protect confidential information using legally enforceable terms. NDAs are applicable to both internal and external parties. NDAs will have the following elements:
Data At Rest
Encryption
All databases, data stores, and file systems are encrypted in accordance with OllyGarden, Inc.'s Encryption Policy.
Storage and Disposal
Stored data must be properly stored and handled while at rest. Considerations for storage and disposal of data at rest in conjunction with OllyGarden, Inc. Asset Management Policy, Data Classification Policy and Data Retention Policy include:
Data Deletion
Stored sensitive data that is no longer required will be properly deleted in accordance with OllyGarden, Inc.'s business objectives, retention policies, applicable laws and regulations, and relevant third-party agreements. A record of such deletion will be kept.
Hard-copy materials with sensitive data will be destroyed when no longer needed for business or legal reasons through secure means (e.g., shredding, pulping, incinerating, etc.) so that the data cannot be reconstructed. Hard copy materials will be stored in secure storage containers prior to destruction.
Electronic media with sensitive data will be destroyed or rendered unrecoverable when no longer needed for business or legal reasons. Data on hardware (e.g., hard drives) will be disposed of through secure means, such as wiping or hard drive destruction.
Data in Transit
Necessity
Data will only be transferred where strictly necessary for effective business processes.
Transfer Factors
Before choosing the method of data transfer, the following must be considered:
Encryption
To ensure the safety of data in transit:
Movement of Media
Information Exchange
Information will be exchanged between OllyGarden, Inc.'s system and other information systems only as authorized through a Privacy Policy Agreement, which includes:
The agreement(s) will be reviewed and updated every year, or as needed.
End-user Messaging Channels
Revision History
Version | Date | Editor | Approver | Description of Changes | Format
---|---|---|---|---|---
1.0 | 02.07.2025 | Yuri Oliveira | Juraci Paixão | |